Friday, June 3, 2011

Are Indian Banks Ready For Cyber Due Diligence?

Recently, the Reserve Bank of India (RBI) constituted a working group on information security, which submitted its report to RBI. Subsequently, RBI issued a notification asking banks to follow the guidelines and recommendations contained in it. The notification demarcated which of these recommendations are immediately implementable and which are to be implemented subsequently.

This “notification” has set a specific timeline for implementation of the final recommendations of the working group. While not all of these recommendations are immediately implementable, some of them are, and banks in India must comply with those by October 31, 2011, informs B.S. Dalal, senior partner of the New Delhi based law firm Perry4Law and an ex-manager of RBI. These mandatory recommendations pertain to policies and procedures that do not require extensive investment, informs Dalal.

In order to provide a focused, project-oriented approach towards implementation of these guidelines, banks would be required to conduct a formal gap analysis between their current status and the stipulations laid out in the circular, and to put in place a time-bound action plan to address the gap and comply with the guidelines.

However, banks need to ensure implementation of the basic organisational framework, and put in place policies and procedures which do not require extensive budgetary support or infrastructural or technology changes, by October 31, 2011. The rest of the guidelines need to be implemented within a period of one year, unless a longer time-frame is indicated in the circular. There are also a few provisions which are recommendatory in nature, the implementation of which is left to the discretion of banks.

It is clear that only a small portion of the report's provisions is discretionary, not all of them. Banks have to establish adequate cyber security and cyber due diligence mechanisms within the stipulated periods; otherwise, action can be taken against them by RBI.

Recently, RBI imposed a penalty upon 19 banks for non-compliance with prescribed standards. Similarly, RBI has also directed that any strictures passed against directors of a bank by any financial sector regulator must be reported to it. Non-compliance with the recommendations of the RBI working group may attract both penalty and strictures, suggests B.S. Dalal.

The notification also prescribes a quarterly review process, and the first calendar quarter after the issue of the guidelines ends on 30th June 2011. Banks must do the needful in their own interest. They may also seek the expert techno-legal services of Perry4Law and Perry4Law Techno Legal Base (PTLB) in this regard; interested banks and financial institutions may contact them.